BS Filtering for CISOs: An Introduction

February 25th, 2009

After spending a good amount of time in the information security industry, I have come to realize that one of the most important concepts for a security professional is that of properly filtering noise and BS. For technical professionals running intrusion detection engines and firewalls, filtering noise is probably most important, since you want to pay attention to the events that matter. For management, let’s say CISOs specifically, you need to tune a different kind of filter: the BS filter. Since I’ve been a CISO, talked to CISOs extensively, work with them now in multiple roles, train them with SANS, etc., I thought I’d start a little mini-series on the blog outlining some of my lessons learned along the way.

Today, I’ll start with an introduction to the topic – why is BS filtering so important, and what forms can it take?

Let’s start with why BS filtering is important. Intuitively, I’m sure everyone reading this knows that getting BS’ed is not a good thing. The fact of the matter, though, is that we all do it. The degree to which we BS people and allow ourselves to be BS’ed will vary, of course, but it’s just a part of life. This can range from a simple scenario like making an excuse for why you can’t go out for drinks with coworkers, to a serious CYA elaboration to prevent yourself from getting canned due to being late on a project. Either way, we all do it. You can be the person of the highest integrity in the world, and you still do some of it. It’s just human nature.

Why do CISOs need good BS filtering, though? For starters, it is the CISO’s job to manage risk in an enterprise. Period. A good CISO knows that managing information-centric risk and advising senior management are the top priorities, and it is just flat-out impossible to do this when you believe everything people tell you. Thus…you need some healthy paranoia and skepticism. I’ll emphasize the “healthy” part – no one likes a freak who inherently distrusts everyone and creeps around developing conspiracy theories, either. I meet quite a few ANNOYING security people in this category, and it does not surprise me that they don’t get invited to many parties. But a little healthy skepticism goes a long way in this business. Why? Because Michael Santarcangelo has it right – security is really a “people problem” at the end of the day, and people are always selling something: themselves, their projects, their opinions on security/risk/whatever. Being able to recognize when people are full of it, and to what degree, is a very valuable skill in determining how to manage risk in many cases. A few examples should help.

You are going to hire a new security analyst/architect/engineer. The resume looks stellar. This lady smiles, is fairly charming and pleasant, and can talk the talk. The primary job responsibilities are pretty technical in nature, but she has a bunch of certifications and lists every product and acronym known to man on her resume. Must be good, right? Bottom line – be skeptical. Her job is to sell you on hiring her. Do a thorough technical interview with other technical staff included, ask a few tough questions about specific technology or technical topics, maybe even do a little hands-on. I have caught more people full of sh*t in interviews than I care to recall.

That project manager (in many ways, the unholiest profession EVER, most IT people I know hate these folks) explains that there’s no need for a security review cycle to be built into Project X, because blah blah blah. That’s exactly how you should treat it, too – don’t let them snow you on this one.

The business unit manager explains that he needs to buy Product Z to get the job done, and he is in a rush. This may not be BS, at least in his mind, but you should be skeptical and push a little deeper – can we review Product Z? Is there adequate time to test? Are there other reasons for wanting Product Z, and only Product Z?

A malware-related incident is underway, and you are hearing conflicting reports of how bad the damage is. Business unit says one thing, your security guy says another. These situations are tough – who do you trust? Common sense may say to trust your staff, but maybe you need this business unit as a political ally and you don’t want to just automatically alienate them. Most of the time, this situation can be facilitated by having the technical skills to cut through the jargon. If you don’t have enough technical acumen to understand at least the basic elements of the situation, you’ll get BS’ed in many cases.

There are a million more of these – people try to BS the security folks all the time. In future installments, I’ll walk through some specific case scenarios and give my <gasp!> opinions on how to recognize and properly filter the BS.

Nice post, Dave. I totally agree with your assessments not only on the BS filter but also that security really is a “people” problem, always has been and always will be! The more successful CISOs solve problems that way, not through technology!

Great points! Sometimes that BS filter can be external. A colleague and I have been the BS Filter for my manager and CIO for a couple of years now. When he thinks he may be getting snowed, he calls one of us into the discussion to filter out the “stuff” that is being shoveled his way.

It’s important as a CIO/CISO/Security Manager to have someone you trust that you can filter things through especially if that CIO/CISO/Security Manager was placed in that role for his management skills and not necessarily his technical skills.